Briefing: CBR talks to Technical Lead Dylan DeAnda about speed, scale and simplicity.
On a cyber security professional’s wish list, visibility over the enterprise’s network would rank consistently near the top – and a company called Tanium is determined to reinvent it.
Since it hit the market in 2012, Tanium has certainly been making its voice heard. It has been named in Fortune's top 25 most important private companies and counts among its customers the US Department of Defense, eight of the world's top ten banks, Amazon and Nasdaq.
The company was founded in 2007 by a father and son team and was in stealth mode for five years. In 2012 it came to market after working with four key beta customers on the platform. Since 2014 the staff has grown from 50 people to 500.
The industry is certainly taking note. In September 2015, a new funding round involving investment from TPG, Institutional Venture Partners, Franklin Templeton and Geodesic Partners pushed Tanium's valuation to $3.5 billion.
So what exactly is Tanium offering, and why is it so revolutionary?
Tanium’s Technical Lead, Dylan DeAnda, explains to CBR that there are three things he wants to emphasise about the product: “speed, scale and simplicity.”
He describes Tanium as “Google search for your enterprise.”
The basic sales pitch is this: what if you could get up-to-date information about what was happening on your network in 15 seconds?
DeAnda says that there are five questions that he asks potential customers.
“How many endpoints are there on the network, what apps are installed, what are users doing, what are the vulnerabilities and have you been breached?”
The answers to these questions are constantly changing, yet with today's tooling the information would take weeks to collect. DeAnda explains that the size of modern IT estates has made current technology woefully inadequate for gathering the amount of information needed to answer them.
He says that traditional systems did a good job of achieving visibility at a small scale, but once an estate grew past 10,000 or 20,000 endpoints they started to slow down.
“What do we need to do to get information faster across faster and complex estates? The technology that is being used today is not going to ever get us there.”
The technology in question is the hub-and-spoke model: a central server with a database, and every client (10,000 of them, say) connected directly to it. The server has to send each query to every endpoint individually and receive every answer itself, so the server and the links into it become the bottleneck as the estate grows.
“If you ask them to do patches, and they need to query all patches, it generally takes a week or so.”
Tanium had already concluded that the hub-and-spoke model was fundamentally broken at that scale.
The “secret sauce”, as DeAnda calls it, is Tanium’s architecture.
“When I install an agent on an endpoint,” he explains, “it gets a list of neighbours from the server and forms this dynamic chain.”
Only the first and last endpoints in a chain connect directly to the server; the server closes the loop, which is why DeAnda also talks about a ring. When a query is issued, the first endpoint takes it from the server and passes it along the chain. Each endpoint answers, merges its answer into the running result and hands the query and the partial result to the next endpoint in line.
Finally, the last endpoint in the chain holds the aggregate of all the responses and sends it back to the server.
The chain is self-healing and is assembled in order of ascending IP address. If an endpoint drops off the network, its two neighbours link up directly and the chain carries on without it.
One benefit of this is that almost all of the query traffic, about 99 percent according to DeAnda, moves off the wide area network and onto the local area network, since only the two ends of each chain ever talk to the server.
According to DeAnda, a single Tanium server can handle over one million endpoints and get results in 15 seconds that would take days, weeks or months with the hub and spoke model.
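As an added illustration of the chain described above (a toy model written for this article, not Tanium's code), the following script orders a handful of endpoints by IP, walks one question along the chain so that each endpoint merges its own answer into the running tally, has the last endpoint return the tally to the server, and re-links the chain when an endpoint drops off. The host records, the fields queried and the way messages are counted are all assumptions made for the example; the point it shows is that the number of messages crossing the WAN stays at two per chain however long the chain gets, whereas hub-and-spoke costs two per endpoint.

```python
"""Toy model of a linear-chain query. Added illustration, not Tanium's code:
the hosts, fields and message counting are assumptions made for the example."""
import ipaddress
from collections import Counter

# Constructed sample inventory for one subnet (hypothetical hosts, not real data).
INVENTORY = [
    {"ip": "10.0.1.7",  "os": "Windows 10", "chrome": True},
    {"ip": "10.0.1.3",  "os": "Windows 7",  "chrome": False},
    {"ip": "10.0.1.12", "os": "macOS",      "chrome": True},
    {"ip": "10.0.1.9",  "os": "Windows 10", "chrome": True},
]


class Chain:
    """Endpoints linked in ascending IP order; each one knows only its successor."""

    def __init__(self, endpoints):
        ordered = sorted(endpoints, key=lambda e: ipaddress.ip_address(e["ip"]))
        self.nodes = {e["ip"]: dict(e) for e in ordered}
        self.first = ordered[0]["ip"] if ordered else None
        # next-hop table: the "list of neighbours" each agent needs
        self.next_hop = {a["ip"]: b["ip"] for a, b in zip(ordered, ordered[1:])}

    def order(self):
        """Walk from the first endpoint and return the IPs in chain order."""
        ips, ip = [], self.first
        while ip is not None:
            ips.append(ip)
            ip = self.next_hop.get(ip)
        return ips

    def query(self, field):
        """Run one question along the chain; returns (tally, wan_messages, lan_messages).

        The server hands the question to the first endpoint (1 WAN message);
        every endpoint adds its own answer to the tally and forwards question
        plus tally to its successor over the LAN; the last endpoint returns the
        finished tally to the server (1 WAN message).
        """
        tally, lan, ip = Counter(), 0, self.first
        while ip is not None:
            tally[self.nodes[ip][field]] += 1
            nxt = self.next_hop.get(ip)
            if nxt is not None:
                lan += 1
            ip = nxt
        wan = 2 if self.first is not None else 0
        return tally, wan, lan

    def heal(self, dropped_ip):
        """An endpoint drops off: its predecessor is re-pointed at its successor."""
        if dropped_ip not in self.nodes:
            return
        successor = self.next_hop.pop(dropped_ip, None)
        predecessor = next((ip for ip, nxt in self.next_hop.items() if nxt == dropped_ip), None)
        if predecessor is not None:
            if successor is None:
                del self.next_hop[predecessor]   # dropped node was the tail
            else:
                self.next_hop[predecessor] = successor
        elif self.first == dropped_ip:
            self.first = successor               # dropped node was the head
        del self.nodes[dropped_ip]


def hub_and_spoke_wan_messages(endpoint_count):
    """Same question under hub-and-spoke: one request and one reply per endpoint, all over the WAN."""
    return 2 * endpoint_count


if __name__ == "__main__":
    chain = Chain(INVENTORY)
    print("chain order:", chain.order())
    tally, wan, lan = chain.query("os")
    print(dict(tally), "WAN:", wan, "LAN:", lan,
          "hub-and-spoke WAN:", hub_and_spoke_wan_messages(len(INVENTORY)))
    chain.heal("10.0.1.7")
    print("after 10.0.1.7 drops:", chain.order(), chain.query("chrome"))
```

Running it shows four endpoints answered with two WAN messages and three LAN hops, against eight WAN messages for hub-and-spoke; after one endpoint is removed the chain re-links around the gap and the next query still returns a complete tally from the remaining three.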
The system does not just provide visibility. The console can also deploy packages to tackle threats, using the same distributed architecture: packages are split into smaller chunks and passed along the chain. The agent is granted administrator privileges once, when it is installed on the endpoint, and can then roll out whatever it is told to. In practice that also makes the Tanium server and console a privileged asset in their own right: anything that can push a package through the console has administrator-level execution on every endpoint in the chain, so access to it needs to be locked down accordingly.
The final selling point DeAnda highlights is the simplicity of the console. It uses a simple natural-language parser, which allows the operator to ask questions in plain language rather than writing queries.
These questions could be how many users are using what operating system, what the IP addresses of certain machines are or what processes are running across endpoints.
DeAnda uses a few real-world examples to highlight where his company’s product might have been of use.
After the TalkTalk breach, for example, CEO Dido Harding was asked by reporters a range of questions such as how many machines had been affected, the sort of question that is hard to answer without fast, estate-wide visibility.
After US retailer Target was breached, cyber security forensics experts were called in. It took them six weeks to establish the extent of the damage.
DeAnda also highlights a US government department that was able to prove it hadn’t been hacked using Tanium technology.
To be the Google of the enterprise is quite an ambition, but talking to DeAnda, the company clearly fancies its chances.